MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d
SHA3-384 hash:	f1b30a12881dce621f4e80c76d01f98f4a5caa6c17473e382965d3e0b628403079d4fb325057095bc57d20decc47a680
SHA1 hash:	f6d61590fcc225b16dae79d689bb2d73c27f49f5
MD5 hash:	8c69181e218d120c2222c285f73f3434
humanhash:	lamp-xray-two-carpet
File name:	SecuriteInfo.com.Trojan.PWS.Siggen3.2213.12376.25059
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	3'276'200 bytes
First seen:	2021-08-17 10:03:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	98304:RQ8xJ9f7O1TUbzNXGGDamN1+Wma1v1WXnc:RQkJ9zFB/N17gc
Threatray	1'033 similar samples on MalwareBazaar
TLSH	T120E52242B3D58131F9BA0236D4EB05100E716D9D55F2D21F1EB0EB4E2973A926C37BAB
dhash icon	968cb27373b2e8f0 (1 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3ac11263__php-echo-the-ti.zip

Verdict:

Malicious activity

Analysis date:

2021-08-17 01:41:26 UTC

Tags:

evasion autoit trojan stealer vidar loader rat redline phishing opendir raccoon danabot

Link:

https://app.any.run/tasks/9487042c-e840-486e-9d06-0385a83be926

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/179931/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.2213.12376.25059.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Sending a UDP request

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a window

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/86c155e9-1a83-427b-bdd2-8653486c247d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/834251

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d/

Threat name:

ByteCode-MSIL.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-17 00:48:13 UTC

AV detection:

21 of 47 (44.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mrsjftopjptuuc5oc4i6w2ic3djmzcdvdh7cnrv5pkcpgod5jkoq._file

Verdict:

unknown

RedLineStealer

4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b

RedLineStealer

663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa

RedLineStealer

6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740

RedLineStealer

7332c0a22bffbb024052e842388e8a34d5d82d88ed0187ea16ddc810bf352604

RedLineStealer

a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e

RedLineStealer

b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84

RedLineStealer

c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

RedLineStealer

c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54

RedLineStealer

+ 1'023 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery evasion infostealer spyware stealer themida trojan

Link:

https://tria.ge/reports/210817-qbfhcs63dj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

Unpacked files

SH256 hash:

dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a

MD5 hash:

c02a029c978f13b753c6b578b1588c75

SHA1 hash:

e125d59451e7f467bfd329a00a506decbcd91d83

Link:

https://www.unpac.me/results/3fff5387-273b-46f4-b207-c3ebaef3a6b1/

SH256 hash:

646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d

MD5 hash:

8c69181e218d120c2222c285f73f3434

SHA1 hash:

f6d61590fcc225b16dae79d689bb2d73c27f49f5

Link:

https://www.unpac.me/results/3fff5387-273b-46f4-b207-c3ebaef3a6b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_new_mem Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)